Overview
Gatekeeper is macOS's code signing enforcement mechanism that controls which applications are allowed to execute. It verifies that downloaded applications are signed by an identified developer and (since macOS 10.15) notarized by Apple. The Gatekeeper approval database records every application that has been assessed, providing forensic evidence of application execution and user override decisions.
Forensic Significance
| Evidence Type | Forensic Value |
|---|---|
| Approved applications | Evidence of app execution (user clicked "Open" on a blocked app) |
| Denied applications | Attempts to run unsigned/untrusted software |
| Override history | User deliberately bypassed Gatekeeper warnings |
| Policy configuration | Security posture (App Store only, identified developers, or anywhere) |
| Assessment timestamps | When apps were first executed |
File Locations
| File | Path | Format |
|---|---|---|
| SystemPolicy database | /var/db/SystemPolicy | SQLite |
| SystemPolicyConfiguration | /var/db/SystemPolicyConfiguration/KextPolicy | SQLite |
| Gatekeeper status | spctl --status (command) | Command output |
| ExecPolicy database | /var/db/SystemPolicyConfiguration/ExecPolicy | SQLite (macOS 12+) |
Database Schema
SystemPolicy — authority table
| Column | Type | Description |
|---|---|---|
| id | INTEGER | Primary key |
| type | INTEGER | Rule type (1=execute, 2=install, 3=open) |
| requirement | TEXT | Code signing requirement expression |
| allow | INTEGER | 1=allowed, 0=denied |
| disabled | INTEGER | Whether the rule is disabled |
| expires | REAL | Expiration timestamp |
| label | TEXT | Human-readable label |
| filter_unsigned | TEXT | Filter for unsigned code |
| remarks | TEXT | Additional information |
ExecPolicy (macOS 12+) — executable_policy table
Tracks all executed binaries and their notarization status.
| Column | Type | Description |
|---|---|---|
| bundle_id | TEXT | Application bundle identifier |
| team_id | TEXT | Developer team identifier |
| signing_id | TEXT | Code signing identifier |
| cdhash | TEXT | Code directory hash |
| responsible_path | TEXT | Path of the responsible process |
| is_notarized | INTEGER | Whether the app is notarized by Apple |
Key Fields for Analysis
List Approved Applications
```sql
-- Execute rules (type = 1) that allow the code to run, newest expiry first
SELECT
    requirement,
    allow,
    label,
    remarks,
    datetime(expires, 'unixepoch') AS expires_date
FROM authority
WHERE type = 1 AND allow = 1
ORDER BY expires DESC;
```
Notarization Status (macOS 12+)
```sql
-- Every recorded executable with its developer identity and notarization flag
SELECT
    bundle_id,
    team_id,
    signing_id,
    responsible_path,
    is_notarized
FROM executable_policy
ORDER BY bundle_id;
```
Analysis Notes
- User overrides: When a user right-clicks and selects "Open" on a Gatekeeper-blocked application, an approval record is created. This is direct evidence that the user deliberately executed untrusted software.
- Policy status: Run `spctl --status` to determine Gatekeeper's current enforcement mode. A disabled Gatekeeper (assessments disabled) indicates a significantly weakened security posture.
- Unsigned code execution: Applications without valid code signatures that were approved indicate either legitimate developer tools or potentially malicious software.
- Team ID analysis: The `team_id` field in ExecPolicy can identify the developer. Cross-reference with known malware developer team IDs.
- SIP protection: The SystemPolicy database is protected by SIP. Modifications on a SIP-enabled system indicate compromise.
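The following script is an added example written for this page, not a tool from the macfor project or from Apple; it applies both the "Key Fields for Analysis" queries and the triage points in the analysis notes to a constructed, in-memory copy of the two tables. The schema, the sample rows, the labels, paths, team IDs and the placeholder cdhash are all constructed from the column lists above and are not real data; the `expires` column is read as a Unix epoch only because the page's own query does so, and the "cdhash rule means a single approved binary" check is a heuristic of this example, not something the page states.

```python
import sqlite3

# Constructed stand-in schema following the column lists this page gives for
# SystemPolicy's authority table and ExecPolicy's executable_policy table.
# It is an example schema, not a dump of Apple's actual databases.
SCHEMA = """
CREATE TABLE authority (
    id INTEGER PRIMARY KEY,
    type INTEGER,          -- 1=execute, 2=install, 3=open
    requirement TEXT,      -- code signing requirement expression
    allow INTEGER,         -- 1=allowed, 0=denied
    disabled INTEGER,
    expires REAL,          -- expiration timestamp (treated as Unix epoch here)
    label TEXT,
    filter_unsigned TEXT,
    remarks TEXT
);
CREATE TABLE executable_policy (
    bundle_id TEXT,
    team_id TEXT,
    signing_id TEXT,
    cdhash TEXT,
    responsible_path TEXT,
    is_notarized INTEGER
);
"""

FAR_FUTURE = 32503680000.0   # 3000-01-01 UTC, constructed "never expires" value
PAST = 1600000000.0          # 2020-09-13 UTC, constructed already-expired value
FAKE_CDHASH = "ab" * 20      # constructed placeholder, not a real hash

# Constructed sample rows; labels, requirements, paths and team IDs are hypothetical.
AUTHORITY_ROWS = [
    (1, 1, "anchor apple", 1, 0, FAR_FUTURE, "Apple System", None, None),
    (2, 1, "anchor apple generic", 1, 0, FAR_FUTURE, "Developer ID", None, None),
    (3, 1, f'cdhash H"{FAKE_CDHASH}"', 1, 0, FAR_FUTURE, "User Override", None, "opened via right-click"),
    (4, 1, 'identifier "com.example.oldtool"', 1, 0, PAST, "Developer Test", None, None),
    (5, 1, 'identifier "com.example.blocked"', 0, 0, FAR_FUTURE, "Denied", None, None),
    (6, 2, "anchor apple", 1, 0, FAR_FUTURE, "Apple Installer", None, None),
]
EXEC_POLICY_ROWS = [
    ("com.example.notarized", "TEAMID0001", "com.example.notarized", FAKE_CDHASH,
     "/Applications/Notarized.app/Contents/MacOS/Notarized", 1),
    ("com.example.unsigned-tool", None, None, FAKE_CDHASH,
     "/Users/analyst/Downloads/tool", 0),
    ("com.example.unknown-vendor", "TEAMID9999", "com.example.unknown-vendor", FAKE_CDHASH,
     "/Applications/Unknown.app/Contents/MacOS/Unknown", 0),
]


def open_constructed_db() -> sqlite3.Connection:
    """Build an in-memory copy of both tables populated with the sample rows.
    On a real image you would instead open a copy of /var/db/SystemPolicy."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO authority VALUES (?,?,?,?,?,?,?,?,?)", AUTHORITY_ROWS)
    conn.executemany("INSERT INTO executable_policy VALUES (?,?,?,?,?,?)", EXEC_POLICY_ROWS)
    return conn


def approved_execute_rules(conn, now_epoch):
    """The page's 'List Approved Applications' query, plus 'disabled' and an
    'expired' flag so stale approvals are not mistaken for active ones."""
    sql = """
        SELECT id, requirement, label, remarks, disabled, expires,
               datetime(expires, 'unixepoch') AS expires_date
        FROM authority
        WHERE type = 1 AND allow = 1
        ORDER BY expires DESC
    """
    return [{"id": r["id"], "requirement": r["requirement"], "label": r["label"],
             "remarks": r["remarks"], "disabled": bool(r["disabled"]),
             "expires_date": r["expires_date"], "expired": r["expires"] < now_epoch}
            for r in conn.execute(sql)]


def per_binary_approvals(rules):
    """Heuristic (an assumption of this example): a requirement that pins one
    code directory hash rather than an Apple/developer anchor approves exactly
    one binary, which is the shape a user override would take."""
    return [r for r in rules if r["requirement"].lstrip().startswith("cdhash ")]


def non_notarized_binaries(conn):
    """Executed binaries ExecPolicy recorded as not notarized (is_notarized = 0)."""
    sql = """
        SELECT bundle_id, team_id, signing_id, responsible_path
        FROM executable_policy
        WHERE is_notarized = 0
        ORDER BY bundle_id
    """
    return [dict(r) for r in conn.execute(sql)]


def team_id_triage(conn, known_good, known_bad):
    """Cross-reference team_id against analyst-supplied sets. A NULL team_id
    means the binary carried no developer identity (unsigned or ad hoc signed)."""
    findings = []
    for r in conn.execute("SELECT bundle_id, team_id, responsible_path FROM executable_policy"):
        team = r["team_id"]
        verdict = ("no-team-id" if team is None else "known-bad" if team in known_bad
                   else "known-good" if team in known_good else "unknown")
        findings.append({"bundle_id": r["bundle_id"], "team_id": team,
                         "path": r["responsible_path"], "verdict": verdict})
    return findings


if __name__ == "__main__":
    db = open_constructed_db()
    for rule in approved_execute_rules(db, now_epoch=1700000000):
        print("rule", rule["id"], rule["label"], rule["expires_date"], "expired" if rule["expired"] else "active")
    print("per-binary approvals:", [r["id"] for r in per_binary_approvals(approved_execute_rules(db, 1700000000))])
    print("not notarized:", [b["bundle_id"] for b in non_notarized_binaries(db)])
    for f in team_id_triage(db, known_good={"TEAMID0001"}, known_bad=set()):
        print(f["verdict"], f["bundle_id"], f["team_id"], f["path"])
```

Because `/var/db/SystemPolicy` is SIP-protected, the script is meant to run against a copy taken from an image or with root access, never against the live file; the `now_epoch` argument is passed explicitly so that the expiry check reflects the time of interest in the case rather than the analyst's clock.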
Version Differences
| macOS Version | Changes |
|---|---|
| 10.7 (Lion) | Gatekeeper introduced |
| 10.15 (Catalina) | Notarization required for all new software |
| 12 (Monterey) | ExecPolicy database added for comprehensive execution tracking |
| 13 (Ventura) | Enhanced notarization enforcement |
| Tool | Support |
|---|---|
| macfor | Not yet implemented (planned) |
| spctl (macOS built-in) | Query Gatekeeper status and assessments |
| sqlite3 | Manual database inspection |
| codesign (macOS built-in) | Verify code signatures |